Best defense against hackers: Know your enemy

With networks under seemingly constant attack by increasingly sophisticated hackers who worm their way through the tiniest cracks in our defenses, it’s easy to fall into the habit of thinking about them as super villains capable of anything.

That is a mistake, says National Security Agency analyst Tony Sager. Although we should not underestimate our enemies, we should not overestimate them either.

“If you treat the bad guy as a wizard, you will never be able to counter his magic,” Sager said. “You need to understand his tradecraft to defend against him.”

Sager, who heads the Vulnerability Analysis and Operations Group in NSA’s Information Assurance Directorate, has spent more than 30 years studying the bad guys and their techniques. He knows what their capabilities are and what the capabilities are for countering them.

“This is a business that does attract very bright people,” on both sides of the fence, Sager said at a recent symposium hosted by Symantec. His recommended strategy for defense is pragmatic. “Your goal is not to build the perfect defense, but to interrupt him,” he said. If you can block him for long enough, if you can recover quickly enough from an intrusion, if you can raise the costs for an attack in terms of time and effort, then you can drive him off in search of easier targets elsewhere.

Playing defense is difficult because — in theory — the defender has to find every vulnerability that could be exploited, but the attacker has to find only one. But in reality attackers usually are like the rest of us – they take the path of least resistance, aiming for low hanging fruit and using tried and proven techniques. If you know these techniques, you can block them. This is what Sager means by “understanding their tradecraft.”

It’s all part of risk management. But in an environment in which incidents are continuously tallied and their numbers are constantly growing, people can forget that not every attack is successful and not every intrusion is a victory for the bad guy. This is the idea behind schemes such as the Consensus Audit Guidelines, which lists the top 20 critical controls for security systems. The goal is to prioritize your defenses by focusing on the vulnerabilities being targeted and the exploits being used by hackers. A successful defense does not necessarily put a hacker out of business, but it can at least keep him out of your business.

The strategy does have limitations. In the first place, it does not eliminate the attacker; it only drives him away to attack elsewhere. In the second place, once the tried and true techniques no longer work, a hacker probably will adopt new techniques and the game will begin again. And finally, there always will be some attackers who eschew well-known approaches, focusing instead on more sophisticated and targeted attacks.

For these reasons, depth and layers are needed for a good defense. Organizations should always have somebody trying to find all of the vulnerabilities, even if the job is impossible, and policies and processes for fixing vulnerabilities are needed even if the less important ones have to wait their turn for remediation.

But by understanding the opponent’s tradecraft, you can prioritize efforts, he said, and by getting the most bang for the buck on the front lines you might have more resources available to for your second and third lines of defense.

“The goal is not perfection,” Sager said. “The goal is to understand.”

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.